PGNd
2014-Aug-20 15:05 UTC
overriding traffic DROP:P'd in /conntrack. when/where to ACCEPT?
I use IPSETs in SW for mass access blocking. The block's in /conntrack:

    /conntrack
        ?FORMAT 3
        NOTRACK   +IPBLACKLIST_IP    -
        NOTRACK   +IPBLACKLIST_NET   -
        DROP:P    +IPPESTS_IP        -
        DROP:P    +IPPESTS_NET       -
        ...

Those blacklists are populated by external feeds. I do not edit/modify individual elements; I simply retrieve the data and load the IPSETs. It works as expected.

I want to punch a specific hole for accessing web content from my LAN at a specific IP range that's been blanket-included in the above blacklist. I create hash:ip & hash:ip IPSETs containing the IP range to be whitelisted, and allow the traffic in /rules:

    /rules
        ...
        ACCEPT   $FW   net:+IPWHITELIST_IP,+IPWHITELIST_NET   tcp
        ACCEPT   lan   net:+IPWHITELIST_IP,+IPWHITELIST_NET   tcp
        ...

This does NOT open the access; it remains blocked. I suspect it's because the DROP:P is in the pre-routing chain, and I'm not ACCEPTing early enough.

Given that the global block in /conntrack should stay as is, what's the right way to punch specific, whitelisted holes in the blacklists?
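To see why an ACCEPT in /rules cannot undo a DROP:P placed in /conntrack, here is an added example (not from the post, and not Shorewall's own code) that models iptables chain traversal for a routed packet in Python. It encodes only the ordering that matters: the raw table's PREROUTING chain runs before connection tracking, mangle and nat, while the filter table's FORWARD chain (where Shorewall puts /rules entries for lan->net traffic) runs only after the routing decision; ACCEPT and DROP terminate the chain they sit in, whereas NOTRACK (iptables -j CT --notrack) does not. The ipset names mirror the post; the addresses, rule lists and the "terminating accept ahead of the drop in the raw chain" arrangement are constructed for the demo, and the post does not show which conntrack-file ACTION would emit such a rule.

```python
"""Model of iptables chain traversal for a routed (forwarded) packet.

Added example, not part of the original post. It reproduces only the
ordering that matters for the question above: at the PREROUTING hook the
raw table is consulted first (before connection tracking, mangle and nat),
and the filter table's FORWARD chain runs only after the routing decision.
ACCEPT and DROP are terminating for the chain they sit in; NOTRACK
(iptables -j CT --notrack) is not, so evaluation continues with the next
rule. All ipset contents and addresses below are constructed for the demo.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the feed-populated ipsets; every entry is stored
# as a network so hash:ip members are just /32s.
IPSETS = {
    "IPPESTS_IP":      [ip_network("198.51.100.7/32")],
    "IPPESTS_NET":     [ip_network("203.0.113.0/24")],
    "IPWHITELIST_IP":  [ip_network("198.51.100.7/32")],
    "IPWHITELIST_NET": [ip_network("203.0.113.64/26")],
}

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def in_set(set_name, addr):
    """True if addr is a member of the named ipset (we match on destination)."""
    ip = ip_address(addr)
    return any(ip in net for net in IPSETS[set_name])


def run_chain(rules, dst, policy):
    """Evaluate (set_name, target) rules in order, like one iptables chain.

    A terminating target ends the chain with that verdict; any other target
    (here NOTRACK) takes effect and evaluation continues with the next rule.
    If nothing terminates, the chain's policy applies.
    """
    for set_name, target in rules:
        if set_name is not None and not in_set(set_name, dst):
            continue
        if target in TERMINATING:
            return target
        # non-terminating target (NOTRACK): fall through to the next rule
    return policy


def traverse(dst, raw_prerouting, filter_forward):
    """Walk the hooks a lan->net packet crosses; return (verdict, trace)."""
    trace = []
    verdict = run_chain(raw_prerouting, dst, policy="ACCEPT")
    trace.append(("raw/PREROUTING", verdict))
    if verdict == "DROP":
        return verdict, trace           # conntrack, nat and filter never see it
    # conntrack, mangle/PREROUTING, nat/PREROUTING and routing happen here;
    # none of them carries rules in this model.
    verdict = run_chain(filter_forward, dst, policy="DROP")
    trace.append(("filter/FORWARD", verdict))
    return verdict, trace


# The two chains as the post describes them: blanket DROP:P in the raw table,
# whitelist ACCEPTs in the filter table.
RAW_AS_POSTED = [("IPPESTS_IP", "DROP"), ("IPPESTS_NET", "DROP")]
FILTER_WHITELIST = [("IPWHITELIST_IP", "ACCEPT"), ("IPWHITELIST_NET", "ACCEPT")]

# Constructed alternative: a terminating accept for the whitelist placed in
# the raw chain ahead of the drops.
RAW_ACCEPT_FIRST = [("IPWHITELIST_IP", "ACCEPT"),
                    ("IPWHITELIST_NET", "ACCEPT")] + RAW_AS_POSTED

# Constructed alternative: trying to exempt the whitelist with NOTRACK instead.
RAW_NOTRACK_FIRST = [("IPWHITELIST_NET", "NOTRACK")] + RAW_AS_POSTED


def as_posted(dst="203.0.113.70"):
    return traverse(dst, RAW_AS_POSTED, FILTER_WHITELIST)


def accept_before_drop(dst="203.0.113.70"):
    return traverse(dst, RAW_ACCEPT_FIRST, FILTER_WHITELIST)


def notrack_before_drop(dst="203.0.113.70"):
    return traverse(dst, RAW_NOTRACK_FIRST, FILTER_WHITELIST)


if __name__ == "__main__":
    for name, fn in [("as posted", as_posted),
                     ("ACCEPT before DROP in raw", accept_before_drop),
                     ("NOTRACK before DROP in raw", notrack_before_drop)]:
        verdict, trace = fn()
        print(f"{name:28s} -> {verdict:6s} via {trace}")
    # A blacklisted address outside the whitelist stays dropped either way.
    print("non-whitelisted 203.0.113.5 ->", accept_before_drop("203.0.113.5")[0])
```

The first scenario reproduces the symptom in the post: the packet is dropped in raw/PREROUTING and the filter-table ACCEPT is never reached. The NOTRACK scenario is the caveat to keep in mind when editing /conntrack: CT --notrack only marks the packet as untracked and lets the chain continue, so it does not shield the whitelisted range from a later DROP in the same chain. Only a terminating accept that sits ahead of the drop, in the chain that drops, lets the whitelisted destination through while every other blacklisted address is still dropped.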